The New Tax Year is Coming - Don't Make It the Year of Living Dangerously!

Instead of fighting a pitched battle with people who try to give you IT security advice which you don't like, why not think of a concession to good security practice you are prepared to make personally?

Will 2009/10 be the year in which disagreement over policies and procedures to do with computer security finally leads to pitched battles between those who advise on IT issues, and the rest of us, who merely use IT?

And, if so, who will win?

Will employees who regard themselves as Web2.0-literate finally wear down the joybusting IT wowsers and win at work those internet freedoms they enjoy at home, thus allowing them to do more with less, just as the tightening economy seems to demand?

Or will IT experts with business savvy finally clamp down on their self-serving Generation Y colleagues, eliminating risky behaviour and stopping them from goofing off on company time, just as the tightening economy seems to demand?

The truth is that a carefully-considered middle ground is needed. Some IT security advisers probably need to relax their rules a little; many Gen-Yers, on the other hand, need to start applying some simple IT rules in their own lives -- such as recognising that some of their Facebook "friends" almost certainly aren't.

So how can IT policy-makers relax without putting their companies at risk?

A good starting point is simply to avoid blanket policies -- such as "Facebook is banned" -- unless you are prepared to enforce them at all levels of the company, to all staff. Exemptions from security rules for senior staff, such as the owner of the business, are common, yet particularly insidious.

Firstly, exemptions create absurdly bad blood amongst those who aren't in the privileged group. Secondly, the on-line safety of senior staff ought to be your greatest concern. You need to get them inside the tent, as the adage goes, aiming outwards, not outside the tent aiming in.

And if you do enjoy relaxed IT policies at work, what then?

Liberal internet access from work is a privilege. It isn't your *right* to do internet banking, to book holidays and to upload your photos whilst you are at work. Even if you are allowed to do these things, make sure that you do not allow them to interfere with your work, and -- in the case of security emergencies, such as virus outbreaks or well-known browser vulnerabilities -- be prepared to accept and to obey any special restrictions to your usage policy, sometimes at short notice.

In particular, never treat the security regimen in your business as a challenge. For example, just because the company doesn't stop you accessing a particular website doesn't magically make that site suitable for use at work. Likewise, files and data which aren't explicitly labelled as company confidential are not, ipso facto, open for you to copy off the network or to send to external servers (including free email services).

Instead of fighting a pitched battle with people who try to give you IT security advice which you don't like, why not think of a concession to good security practice you are prepared to make, off your own bat?

Lead by example and others will surely follow.

Let's make the next 12 months the Year of Living Safely!

Paul Ducklin is Head of Technology, Asia Pacific at Sophos in Sydney, which is home to one of the company's four global 24/7 research labs. He joined Sophos in 1995 from the South African Council for Scientific and Industrial Research (CSIR), which is rather like Australia's CSIRO. Paul is a respected industry spokesperson. He recently won the 2009 AusCERT Director's Award for Individual Excellence in Information Security.